Trinity uses nmap in the film “The Matrix Reloaded” to hack the city power grid
Benjamin uses nmap in “Who Am I - No System is Safe” to compromise the local power company, causing a brief blackout
Lisbeth uses nmap in the film “The Girl with the Dragon Tattoo” (just in general)
E-Lita explains the nmap functionality in the soft-core porn “HaXXXor Volume 1: No Longer Floppy”
Create your own exercise

Marc Müller, Ellen Maeckelburg: Network Scanning - Advanced Port Scanning with nmap
Motivation

Master your Nmap skills in order to learn more about your network!
Motivation

• Where is it relevant? – Security scanning, information gathering, hacking
• Who uses it? – Private people, security personnel, hackers
• Why is it interesting? – Discover networks, essential skill in IT, awareness
Lecture overview

• Learning goals
• Port scanning basics
  – TCP
  – UDP
• Different scanning techniques
• Idle scan
• Cool Nmap features
• Scan detection
Summary / Learning Goals

The following learning goals are covered in the lecture, the PreLab and the Lab:

• Understand how port scanning works
• Learn different scanning techniques
• Understand and observe how scans are detected by target hosts
• Firewall basics
• Mastering the scanning tool Nmap
• Execute fancy stealthy scans and discover running services
Port scanning basics

What are ports?
• Allow different services to share a single network connection (one IP address): each service listens on its own 16-bit port number
• Range 0-65535
  – Well-known ports 0-1023
  – Registered ports 1024-49151
  – Ephemeral (dynamic/private) ports 49152-65535
Port scanning basics

TCP handshake (RFC 793), the three cases a scanner A sees when probing host B:
• Successful (port open): A sends SYN, B answers SYN/ACK, A completes the handshake with ACK
• Unsuccessful (port closed): A sends SYN, B answers RST
• Unexpected: A sends a SYN/ACK that belongs to no existing connection, B answers RST (this reflex is what the idle scan relies on)
Port scanning basics

UDP: A sends a UDP packet to host B; the port state is inferred from what comes back:
• ICMP error type 3 code 3 (port unreachable) -> closed
• UDP packet in reply -> open
• No response -> open|filtered (either open but silent, or dropped by a firewall)
• ICMP error type 3 code 1, 2, 9, 10 or 13 -> filtered
Different scanning techniques

● TCP
  – connect scan
  – SYN scan
  – ACK scan
  – FIN scan
  – Idle scan
● UDP scan
● Host discovery
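The TCP connect scan is the simplest technique in the list above and the one that makes the three handshake outcomes from the previous slide directly observable: the kernel performs the full SYN, SYN/ACK, ACK exchange, a RST surfaces as "connection refused", and silence surfaces as a timeout. The following scanner is an added example written for this page, not code from the lecture or from Nmap; it runs against 127.0.0.1 with a listener it starts itself, so no network or root rights are needed.

```python
"""Minimal TCP connect() port scanner (added example, not code from the lecture).

Maps the three handshake outcomes from the slides to Nmap's port states:
SYN/ACK -> "open", RST -> "closed", no answer at all -> "filtered".
"""
import errno
import socket


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Run a full three-way handshake with connect() and classify the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # SYN -> SYN/ACK -> ACK, done by the kernel
            return "open"
        except ConnectionRefusedError:       # SYN -> RST
            return "closed"
        except socket.timeout:               # SYN -> silence (typically a dropping firewall)
            return "filtered"
        except OSError as exc:
            # unreachable networks/hosts give neither SYN/ACK nor RST, so count
            # them as filtered instead of aborting the whole scan
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def tcp_connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan the given ports one after the other; returns {port: state}."""
    return {p: probe_tcp_port(host, p, timeout) for p in ports}


def demo() -> dict:
    """Scan 127.0.0.1 with one listening and one closed port, so it runs offline.

    The listener is created here; connect() succeeds as soon as the kernel has
    queued the connection, so nobody has to call accept(). The closed port is
    found by binding a socket and releasing it again.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free one
    listener.listen(5)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                              # nothing listens on closed_port now

    try:
        states = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "states": states}


if __name__ == "__main__":
    for port, state in demo()["states"].items():
        print(f"{port}/tcp {state}")
```

Because connect() completes the handshake, the target's service sees a real connection (and usually logs it), which is why Nmap prefers the half-open SYN scan (-sS) when it has raw-socket privileges.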
Idle scan

(Figure: IPv4 header with the 16-bit Identification field; source: https://advancedinternettechnologies.files.wordpress.com/2012/01/ipv4-header.png)
Idle scan

1: Scanner -> Idle host: SYN/ACK
2: Idle host -> Scanner: RST (carries the idle host's current IP ID)
3: Scanner -> Target: SYN with the source address spoofed to the idle host's address
4: Target -> Idle host: SYN/ACK if the port is open (RST if closed, nothing if filtered)
5: Idle host -> Target: RST in reply to the unexpected SYN/ACK, which increases the idle host's IP ID (a RST from the target is simply ignored)
6: Scanner -> Idle host: SYN/ACK
7: Idle host -> Scanner: RST (carries the new IP ID)
Idle scan

Requirements:
• The idle host ("zombie") must use a predictable, globally incremented IP ID (IP fragmentation identifier); per-destination or randomized IP IDs defeat the technique
• The scanner must be able to probe the idle host for its current IP ID (steps 1/2 and 6/7)
• The host must be truly idle: any other packet it sends between the two probes also increments the IP ID and corrupts the inference

Conclusions (comparing the IP ID from step 7 with the one from step 2):
• IP ID increased by 1 -> port is closed or filtered (only the scanner's own probe was answered)
• IP ID increased by 2 -> port is open (the idle host also answered the target's SYN/ACK)
• IP ID increased by more than 2 -> the idle host was not idle; the result is unreliable and the probe has to be repeated
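The seven-step exchange and the IP ID arithmetic above are easiest to check by running them, so here is a simulation of the three parties (scanner, zombie, target) as an added example; it is not code from the lecture, not Nmap's implementation, and it sends no packets. The addresses are hypothetical. It also models the third requirement failing: a zombie that sends one packet of its own between the two probes turns a closed port into a false "open" and an open port into an unreliable reading.

```python
"""Idle (zombie) scan, simulated end to end (added example, not lecture code).

The three parties from the slides are plain Python objects, so the IP ID
bookkeeping can be followed without root rights or a real network. The
addresses are hypothetical. The message flow per port is:
  1/2  scanner -> zombie: SYN/ACK; zombie -> scanner: RST (reveals its IP ID)
  3    scanner -> target: SYN with the zombie's address as source
  4/5  target -> zombie: SYN/ACK if open; zombie -> target: RST (IP ID +1)
  6/7  scanner -> zombie: SYN/ACK; zombie -> scanner: RST (new IP ID)
"""
from dataclasses import dataclass, field


@dataclass
class IdleHost:
    """Zombie with one global, sequentially incremented IP ID counter."""
    ip: str
    ipid: int = 1000
    background_packets: int = 0   # > 0 models a zombie that is NOT truly idle

    def _send(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF    # 16-bit field, wraps around
        return self.ipid

    def on_syn_ack(self) -> int:
        """Unsolicited SYN/ACK -> RST (RFC 793). The RST carries the next IP ID."""
        return self._send()

    def on_rst(self) -> None:
        """A RST is never answered, so no IP ID is consumed."""

    def idle_time_passes(self) -> None:
        """Whatever else the zombie sends between the two probes."""
        for _ in range(self.background_packets):
            self._send()


@dataclass
class Target:
    ip: str
    open_ports: set
    filtered_ports: set = field(default_factory=set)
    hosts: dict = field(default_factory=dict)   # ip -> IdleHost ("the network")

    def on_syn(self, src_ip: str, port: int) -> None:
        """Answer a SYN as on the slides, to whoever the source address claims to be."""
        if port in self.filtered_ports:
            return                              # dropped: nobody hears anything
        peer = self.hosts[src_ip]               # the spoofed source, i.e. the zombie
        if port in self.open_ports:
            peer.on_syn_ack()                   # zombie answers RST, burning one IP ID
        else:
            peer.on_rst()                       # closed: the RST reaches the zombie, ignored


def idle_scan_port(zombie: IdleHost, target: Target, port: int) -> str:
    """Steps 1-7 for one port; returns the verdict for the observed IP ID delta."""
    before = zombie.on_syn_ack()                # 1+2
    target.on_syn(zombie.ip, port)              # 3-5 (source spoofed as the zombie)
    zombie.idle_time_passes()
    after = zombie.on_syn_ack()                 # 6+7
    delta = (after - before) & 0xFFFF
    if delta == 1:
        return "closed|filtered"                # only our own probe used an IP ID
    if delta == 2:
        return "open"                           # the target's SYN/ACK made the zombie send a RST
    return "unreliable"                         # zombie talked to someone else; re-probe


def idle_scan(zombie: IdleHost, target: Target, ports) -> dict:
    return {p: idle_scan_port(zombie, target, p) for p in ports}


def demo() -> dict:
    """A quiet zombie gives correct results; a chatty one does not."""
    quiet = IdleHost("198.51.100.7")
    noisy = IdleHost("198.51.100.8", background_packets=1)
    target = Target("203.0.113.9", open_ports={22, 80}, filtered_ports={443},
                    hosts={quiet.ip: quiet, noisy.ip: noisy})
    return {
        "quiet": idle_scan(quiet, target, [22, 25, 443]),
        "noisy": idle_scan(noisy, target, [22, 25]),   # 25 is closed but reads as open
    }


if __name__ == "__main__":
    print(demo())
```

The "noisy" result is the practical reason Nmap probes a candidate zombie several times before trusting it and repeats ambiguous ports: a single stray packet is indistinguishable from the target's SYN/ACK.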
Cool Nmap features

Application & OS version detection (-A enables OS detection, version detection, default scripts and traceroute at once; the second command is the narrower equivalent whose output is shown):

sudo nmap -A -6 dead:beef:11ab:1:92e2:baff:fe2a:8fc7
sudo nmap -O -sV -6 dead:beef:11ab:1:92e2:baff:fe2a:8fc7

Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-15 08:48 CET
Nmap scan report for hrtbrthtz5egd-v6.eduroam.dynamic.rbg.tum.de (dead:beef:11ab:1:92e2:baff:fe2a:8fc7)
Host is up (0.000023s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 4.4
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.90 seconds
Cool Nmap features

Host detection
• -sL  List scan: simply list the targets to scan (reverse DNS only, no probes are sent to the targets)
• -sP  Ping scan (spelled -sn in current Nmap versions): go no further than determining whether a host is online
Cool Nmap features

Automation
• You can determine how the output of Nmap should look -> can use it for automation
  -oN  output in normal format
  -oX  XML (the stable, machine-readable format to build tooling on)
  -oS  s|<rIpt kIddi3
  -oG  grepable (deprecated in favour of XML)
  -oA <basename>  write normal, XML and grepable output at once
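What "use it for automation" looks like in practice: parse the XML output and act on the result, for instance by diffing today's scan against a baseline so that a newly exposed service raises an alert. The parser below is an added example, not code from the lecture or from the Nmap project; SAMPLE_XML is a constructed document in the shape Nmap writes with -oX, and the addresses, scan arguments and services in it are hypothetical.

```python
"""Turn Nmap -oX output into data a script can act on (added example, not lecture code).

SAMPLE_XML is a constructed sample in the shape Nmap writes with -oX; the
addresses, scan arguments and services in it are hypothetical. Only XML is
parsed here because -oG (grepable) is deprecated and -oN is meant for humans.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/30" version="7.60">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""

# States worth reporting: "open|filtered" is included because a UDP service
# that never answers looks exactly like this (see the UDP slide).
OPEN_STATES = ("open", "open|filtered")


def parse_open_ports(xml_text: str) -> dict:
    """Return {address: [(proto, port, state, service), ...]} for hosts that are up."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                    # down hosts carry no ports
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state not in OPEN_STATES:
                continue
            svc = port.find("service")
            service = ""
            if svc is not None:                         # closed ports have no <service>
                service = " ".join(v for v in (svc.get("name"), svc.get("product"),
                                               svc.get("version")) if v)
            entries.append((port.get("protocol"), int(port.get("portid")), state, service))
        result[addr_el.get("addr")] = entries
    return result


def new_exposures(baseline: dict, current: dict) -> set:
    """(addr, proto, port) tuples that are open now but were not in the baseline scan."""
    def keys(scan):
        return {(addr, proto, port)
                for addr, ports in scan.items() for proto, port, _, _ in ports}
    return keys(current) - keys(baseline)


if __name__ == "__main__":
    for addr, ports in parse_open_ports(SAMPLE_XML).items():
        print(addr, ports)
```

Storing the parsed baseline (for example as JSON) and running new_exposures after each scheduled scan turns the port scanner into a change detector for your own perimeter.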
Scan detection

How to detect port scans?
• Scan characteristics:
  – One source IP address, many destination ports
  – High volume of connection attempts to different ports within a short time window
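The two characteristics above translate directly into a detection rule: count, per source address, the distinct destination ports seen inside a sliding time window and alert when the count crosses a threshold. The detector below is an added example, not code from the lecture; SAMPLE_LOG is a constructed, simplified firewall-style connection log with hypothetical addresses. It goes slightly beyond the slide to show the main caveat of the rule: a scan that is spread out in time stays below the threshold unless the window is widened.

```python
"""Port-scan detector over connection log lines (added example, not lecture code).

Implements the heuristic from the slide: one source address hitting many
distinct destination ports within a short window. The log format (ISO time,
src, dst, dport, proto) and all addresses are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2019-03-15T08:40:00 198.51.100.7 192.0.2.11 21 tcp
2019-03-15T08:40:30 198.51.100.7 192.0.2.11 22 tcp
2019-03-15T08:41:00 198.51.100.7 192.0.2.11 23 tcp
2019-03-15T08:41:30 198.51.100.7 192.0.2.11 25 tcp
2019-03-15T08:42:00 198.51.100.7 192.0.2.11 53 tcp
2019-03-15T08:42:30 198.51.100.7 192.0.2.11 80 tcp
2019-03-15T08:43:00 198.51.100.7 192.0.2.11 110 tcp
2019-03-15T08:43:30 198.51.100.7 192.0.2.11 139 tcp
2019-03-15T08:44:00 198.51.100.7 192.0.2.11 143 tcp
2019-03-15T08:44:30 198.51.100.7 192.0.2.11 443 tcp
2019-03-15T08:45:00 198.51.100.7 192.0.2.11 445 tcp
2019-03-15T08:45:30 198.51.100.7 192.0.2.11 3389 tcp
2019-03-15T08:47:58 198.51.100.9 192.0.2.10 443 tcp
2019-03-15T08:48:00 198.51.100.9 192.0.2.10 443 tcp
2019-03-15T08:48:01 198.51.100.5 192.0.2.10 21 tcp
2019-03-15T08:48:01 198.51.100.5 192.0.2.10 22 tcp
2019-03-15T08:48:01 198.51.100.5 192.0.2.10 23 tcp
2019-03-15T08:48:01 198.51.100.5 192.0.2.10 25 tcp
2019-03-15T08:48:02 198.51.100.5 192.0.2.10 53 tcp
2019-03-15T08:48:02 198.51.100.5 192.0.2.10 80 tcp
2019-03-15T08:48:02 198.51.100.5 192.0.2.10 110 tcp
2019-03-15T08:48:02 198.51.100.5 192.0.2.10 135 tcp
2019-03-15T08:48:02 198.51.100.9 192.0.2.10 80 tcp
2019-03-15T08:48:03 198.51.100.5 192.0.2.10 139 tcp
2019-03-15T08:48:03 198.51.100.5 192.0.2.10 143 tcp
2019-03-15T08:48:03 198.51.100.5 192.0.2.10 443 tcp
2019-03-15T08:48:03 198.51.100.5 192.0.2.10 445 tcp
2019-03-15T08:48:30 198.51.100.9 192.0.2.10 22 tcp
"""


def detect_scans(log_text: str, window_s: int = 10, threshold: int = 10) -> dict:
    """Return {src: {"first_seen": ts, "distinct_ports": n}} for sources that
    touched >= threshold distinct (dst, port, proto) targets within window_s seconds.

    Keying on (dst, port, proto) rather than the port alone means a horizontal
    scan (one port across many hosts) is counted as well.
    """
    recent = defaultdict(list)          # src -> [(epoch, (dst, port, proto))]
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, src, dst, dport, proto = line.split()
        ts = datetime.fromisoformat(ts_s).timestamp()
        hist = recent[src]
        hist.append((ts, (dst, int(dport), proto)))
        # slide the window: forget everything older than window_s seconds
        hist[:] = [(t, k) for t, k in hist if ts - t <= window_s]
        distinct = {k for _, k in hist}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {"first_seen": ts_s, "distinct_ports": len(distinct)}
    return alerts


if __name__ == "__main__":
    print("10 s window :", detect_scans(SAMPLE_LOG))
    print("600 s window:", detect_scans(SAMPLE_LOG, window_s=600))
```

With the defaults only 198.51.100.5 is flagged; 198.51.100.7 probes one port every 30 seconds and never has more than one event inside a 10-second window, so it is only caught when the window is widened to 600 seconds. That trade-off (window and threshold versus memory per source and false positives from busy clients like 198.51.100.9) is what the tuning of any scan detector comes down to.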